Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Create a new article
30390
Views
23
Helpful
35
Comments

Dual SSID BYOD with Apple Captive Network Assistant (CNA) Browser

howon
Cisco Employee
Cisco Employee

‎02-01-2017 11:43 AM - edited ‎03-23-2020 02:35 PM

 

Please reference this table for defect info

Apple CNA (Captive Network Assistant, AKA Apple mini browser) is a Apple iOS feature that allows a browser like window to pop-up whenever network access is needed and the CNA determines that the network requires user interaction to gain full network access. This typically happens when the user associates to an open wireless LAN and even though an IP address is provided to the device, the network still restricts the user to take further actions, such as accepting an AUP, providing a shared password, or logging in as a guest user. This enhances user experience as it saves the user from manually opening up a Safari browser window. It also provides assistance even during non-initial association to the WLAN. For instance, if the endpoint device goes into sleep mode and the session is torn down on the WLC and subsequently the user tries to use a non-web browser application that requires network connectivity, the iOS device can sense that the device is in captive portal state and pop-up the mini browser for user to take further action to gain network access. As one can see having the iOS CNA feature operate on a guest network is a good idea, however, when BYOD is enabled on the same WLAN, as is the case with ISE dual-SSID flow, the CNA breaks the ISE BYOD process. One of the reason for that is due to ISE BYOD process forcing the CNA mini browser to go into the background as it asks the end user to accept the iOS profiles, which includes CA certificate and enrollment package, and when the CNA mini browser is moved to the background it immediately disconnects the device from the WLAN, which in turn breaks the BYOD process.

 

Prior to ISE 2.2, the ISE was setup to warn the user that the browser is not supported and user had no easy way aside from reporting it to the network administrator and subsequently the administrator had to enable captive bypass on the WLC which disabled the pop-up of the CNA mini browser on the controller level. Unfortunately, the captive bypass feature on WLC 8.3 and below required to be ran controller wide, which meant that all of the WLANs that the controller was servicing disabled the apple CNA. Cisco ISE version 2.2 is the first version to support Dual-SSID BYOD flow through Apple CNA. This document explains how to configure the ISE and Cisco WLC to provide Dual-SSID BYOD even when the captive portal bypass feature is disabled on the WLC. For other options on how to deal with Apple CNA, please go to: Dealing with Apple CNA (AKA Mini browser) for ISE BYOD

 

This document will leverage pre-defined policy rules and elements for dual SSID BYOD configuration. Also, this document assumes that the WLC is already configured with baseline WLC configuration for ISE. For more information on the baseline WLC ocnfiguration please refer to: How To: Universal Wireless Controller (WLC) Configuration for ISE

 

User experience:

(view in My Videos)

  1. User associates to OPEN SSID
  2. Apple CNA mini browser pop-up
  3. User enters employee ID (ISE recognizes non guest accounts to be employee users)
  4. User is asked to wait for ‘Done’ in the upper right corner and click the link which pops up the full Safari browser to continue with BYOD process
  5. User starts BYOD flow and enters description for the device
  6. Downloads root CA certificate & enrollment profile (Certificate + WiFi settings)
  7. User is asked to connect to secure SSID
  8. User has Full network access

 

Components:

Cisco ISE version 2.2+

Cisco WLC 7.6+ for DNS ACL feature; not possible with FlexConnect local switching WLAN as DNS ACL is not supported for locally switched traffic

Note: If running WLC 8.4+ code then the captive portal bypass can be enabled per WLAN instead of globally. It still does not allow administrator to use a single WLAN for both CNA enabled guest access and employee BYOD, but allows them to enable captive portal bypass selectively per WLAN instead of controller wide.

Cisco Wireless Controller Configuration Guide, Release 8.4 - WLAN Security [Cisco Wireless LAN Controller Software] - …

 

Cisco WLC:

(Optional) Disable captive portal bypass

  1. If previously enabled, go to the CLI of the WLC and disable captive portal bypass by running 'config network web-auth captive-bypass disable'
  2. Save config
  3. Reset system for the settings to take affect

 

Create Additional ACL for Apple iOS devices to provide ‘Done’ on the CNA mini browser (Note: This ACL provides full network access for the endpoint temporarily during BYOD process. This is necessary to suppress Apple CNA)

  1. Go to WLC GUI and navigate to SECURITY > Access Control Lists > Access Control Lists
  2. Click 'New...' in the upper right corner
  3. Name the new ACL ' ACL_APPLE_CNA'
  4. Add Deny any IP traffic to 1.1.1.1/255.255.255.255
  5. Add Permit any IP traffic to any
  6. Example shown below

Screen Shot 2017-02-01 at 1.51.39 PM.png

 

ISE:

Perform Posture Update (Required for ISE to recognize the OS)

  1. Go to ISE GUI and navigate to Administration > System > Settings
  2. On the left hand menu, click on Posture > Updates
  3. Click on 'Update Now' (Will take about 20 minutes to update, you can navigate away and perform rest of the steps below)

 

Configure Guest portal to provide BYOD for employee users

  1. Go to ISE GUI and navigate to Work Centers > Guest Access > Portals & Components
  2. Click on the 'Self-Registered Guest Portal (default)' (Or the portal that is going to be used for dual-SSID BYOD flow)
  3. Click on 'BYOD Settings' and enable 'Allow employees to use personal devices on the network' option
  4. Click 'Save'

Screen Shot 2017-02-01 at 12.47.20 PM.png

 

Create Additional Authorization profile to redirect any traffic that matches destination of 1.1.1.1

  1. Navigate to Policy > Results > Authorization > Authorization Profiles
  2. Click 'Add' to add a new AuthZ profile
  3. Enter 'NSP_Apple_CNA' as name
  4. Under Common Tasks section check 'Web Redirection (CWA, MDM, NSP, CPP)' and select Centralized Web Auth, enter 'ACL_APPLE_CNA' for ACL, and select 'Self-Registered Guest Portal (default)' from the list
  5. Click 'Save'

Screen Shot 2017-02-01 at 12.45.01 PM.png

 

Create Authorization policy rule for Apple iOS device

  1. Navigate to Policy > Authorization
  2. Insert a New Rule Above the 'Wifi_Redirect_to_Guest_Login' and create a policy rule named 'Employee_Onboarding_Apple_CNA'
  3. For the condition of the rule, select 'Add Condition from Library' and then select Compound Conditions > Wireless_MAB
  4. Add another condition using 'Add Attribute/Value' and then select Sessions > BYOD-Apple-MiniBrowser-Flow, select 'Equals' then 'Yes'
  5. For the Permissions, select 'Standard' > 'NSP_Apple_CNA'
  6. Click 'Done' for the policy rule
  7. Click 'Save' on the bottom to save the policy

Screen Shot 2017-02-01 at 12.45.39 PM.png

 

ISE Live Log:

1.png

  1. User associates to open SSID and ISE assigns 'Cisco_WebAuth' Authorization Profile that redirects any web request to ISE WebAuth portal page
  2. User enters employee user ID ' employee1' and password on the WebAuth portal
  3. A successful login triggers CoA (Change of Authorization)
  4. After CoA endpoint is assigned 'NSP_Apple_CNA' which permits temporary web access so the Apple CNA is no longer enforced. At this stage only traffic to 1.1.1.1 is redirected and used to guide user through BYOD process using full browser
  5. Once BYOD process is completed, user connects to secured SSID and gets 'PermitAccess' Authorization Profile
Comments
tmpoff
Level 1
Level 1
‎08-02-2017 11:38 AM

Patch 2 came out last week.  It supposedly fixes the issue with IOS v10.3.1.

The issue is not fixed.  When i click on the link that states 'Click HERE after you see Done", it opens the BYOD window in the Mini-Browser and does not launch Safari to continue the onboarding process.

The Bug (CSCve39167) has a status of 'Fixed'.  It is not fixed.  Anyone else have any input?

Jason Kunst
Cisco Employee
Cisco Employee
‎08-02-2017 11:44 AM

They have a fix but it hasn’t been integrated into a patch. Right now it says Patch 4, I will dboule check with our development

Also make sure you have a TAC case assigned to it as I don’t see many of those. And work through TAC if its critical, I would recommend you don’t use Dual SSID with mini browser unless absolutely critical.

tmpoff
Level 1
Level 1
‎08-02-2017 12:00 PM

Thank you Jason.

I just re-read the v2.2, Patch 2 release notes and you are right that the bug listed above is not in the resolved list.

There were two bugs we were working through TAC.  One of the bugs (CSCvd18121) was resolved with patch 2 and we have confirmed that works now.

The main bug as described here we have also tried to work through TAC.  We were told it was going to be resolved in late July.  It is now August.  In addition, the bug on the site is listed as 'Fixed'.  Why is it listed as fixed if its not fixed?

They released Patch 2 and changed the status of both the bugs to fixed so I assumed it was resolved in the patch.

Jason Kunst
Cisco Employee
Cisco Employee
‎08-02-2017 12:04 PM

Its not best to get in discussion on a how-to thread. If you want to discuss more then bring up new one.

Apologies but it has been pushed out. Fixed means they have a fix, doesn’t mean it made a patch or release until its verified in a release. I would go through tac and ask them if there is a way to get a hotfix if available.

tmpoff
Level 1
Level 1
‎08-02-2017 12:56 PM

Thanks Jason.

I learned something new.  I thought that 'fixed' meant a fix is available.

Jason Kunst
Cisco Employee
Cisco Employee
‎08-07-2017 03:25 PM

They are pushing for this in patch 4, we don't publish these dates externally.

j656
Level 1
Level 1
‎08-08-2017 12:19 PM

Does anyone know if ISE 2.3 resolves this issue?

Jason Kunst
Cisco Employee
Cisco Employee
‎08-08-2017 12:28 PM

CSCve39167 Dual SSID BYOD with Apple Captive Network Assistant (CNA) Browser process continues in same browser


This is not fixed in 2.3 and not slated for patch 1, too early to tell on if it will make patch 2


make sure you have a tac case attached to the defect

emasters
Level 1
Level 1
‎10-17-2017 06:43 AM

Since a couple months have passed, have their been any indications of future patch releases?

Jason Kunst
Cisco Employee
Cisco Employee
‎10-17-2017 06:59 AM

there is no current status on the next patch. Please make sure you open a tac case and attach to the defect. I would suggest bypassing use of the mini browser for BYOD as a workaround

foozed
Level 1
Level 1
‎11-08-2017 04:13 AM

TAC unable to help with our ISE issues with Apple CNA as well.

Jason Kunst
Cisco Employee
Cisco Employee
‎11-08-2017 08:41 AM

If critical requirement to do BYOD with mini browser, please escalate to TAC duty manager , the bug is resolved and waiting to be put in a patch, perhaps they can get a hot fix for you, otherwise would recommend bypassing CNA on the WLC with captive bypass command

trcolber
Cisco Employee
Cisco Employee
‎02-05-2018 03:50 PM

Per the bug CSCve39167 details, it states Apple fixed this issue in 11.0 (shown below). Do we know if this includes all 11.x iOS trains? Have a cx running 11.2.2 and facing same issue where 'Done' is not showing up after iOS client is provisioned. Everything works fine if we cancel the mini browser and manually open browser page using Safari to do the BYOD provisioning.


Note: Apple has resolved this issue in iOS11.0 (apple bug# 32350647). So workaround is not needed in iOS11.0"

tlenzenh
Cisco Employee
Cisco Employee
‎02-27-2018 09:47 PM

Hi All,

thanks for the great writeup Hosuk, very useful. I got one issue I wanted to ask for some advise. I am trying to get this working for a customer but in my lab setup I am stuck at the stage where the mini browser is supposed to show 'Done'. What needs to happen in the background in order for this 'Done' to appear? The authentication of the user in the Guest Portal works fine but the mini browser never shows 'Done'. I assume it would show in the same place where the 'Cancel' appears earlier? The Cancel never goes away, hence I never even get to the stage where BYOD provisioning starts.

Any ideas what I am missing here? I'm running ISE 2.2 Patch 6.

Thanks

Thomas

adil.pasha@syf.com
Community Member
‎04-26-2018 08:15 AM
What does it mean? 'both CNA enabled guest access and "dual-SSID" on the same WLAN' As I understand WLAN = SSID, but this statement seems different.
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents